Way OT: SSH worries

William Burns William.Burns at AEROFLEX.COM
Tue Aug 17 23:52:39 IST 2004


<x-flowed>
John:

Maybe I'm confused?
Do we have the same point?

John Rudd wrote:

>William Burns wrote:
>
>>Back to stunnel:
>>
>>Following the "do no harm" philosophy, I use telnet to access a program
>>that puts an *additional* level of security in front of sshd.
>
>or OpenSSH, which uses OpenSSL code.  Which was my point: Stunnel is in
>the same risk category as OpenSSH (assuming you're using openssh, which
>may have been an inappropriate assumption on my part).  Using Stunnel is
>no more risky than using OpenSSH, AFAICT.
>

I *don't* want to use stunnel to shield OpenSSH(d) from a worm, exactly
because they're in the same risk category.
That'd be like protecting my door w/ two Masterlock (tm) padlocks. If
someone knows how to break that brand of lock, they're in.
If there's a worm that can exploit sshd, how do I know it can't exploit
stunnel as well?

I want to avoid having ssl protected sessions terminated on some of my
boxes 'cause the ssl sessions themselves (the transport) can be attacked.
I'd prefer an SSL-attacking worm to meet up w/ a dumb-as-rocks telnet
session instead.
Odds are that the worm won't be able to guess my pass-phrase.

Back to the padlock analogy, I've got a decent padlock, but before you
get to that, you have to go through one of those lame simplex
push-button locks.
Anyone w/ a few hours to kill can get past a simplex lock, but probably
not the padlock.
If someone knows how to beat the padlock, they'll probably apply that
skill elsewhere, instead of wasting the hours necessary to guess the
simplex combo.

Plus, add to that the fact that you can only access my padlock from
certain IP addresses and I'm feeling pretty safe.

-Bill
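The gate Bill describes (a source-address restriction plus a pass-phrase check sitting in front of sshd, implemented without any of the code sshd itself depends on) can be written as a small decision function. The following is an added example for this archive page, not code from the original post or from the MailScanner project; the class name, the allow-listed networks (RFC 5737 documentation ranges), the failure limit and the lockout period are all constructed assumptions. It implements only the decision logic, not the telnet listener, so the part that matters for the "different risk category" argument (no shared TLS or SSH library, constant-time pass-phrase comparison, per-address lockout) can be tested on its own.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed sample configuration (assumptions, not from the original post).
ALLOWED_NETWORKS = ["192.0.2.0/24", "198.51.100.7/32"]  # RFC 5737 documentation ranges
MAX_FAILURES = 3          # failures from one address before it is locked out
LOCKOUT_SECONDS = 600     # how long that address stays locked out


def hash_passphrase(passphrase: str, salt: bytes) -> bytes:
    """Derive a slow, salted hash so the gate never stores the pass-phrase itself."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 200_000)


class PreAuthGate:
    """Decision logic for a pre-authentication gate in front of sshd.

    The gate does no TLS and no SSH; it only answers "may this client reach
    the real service?" from the source address, a pass-phrase and a
    per-address failure counter. Hypothetical class, written for this example.
    """

    def __init__(self, allowed_networks, passphrase,
                 max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.salt = os.urandom(16)
        self.stored = hash_passphrase(passphrase, self.salt)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = {}  # source ip -> (failure count, time of last failure)

    def _allowed_source(self, ip: str) -> bool:
        # First filter: the address must be inside one of the allow-listed networks.
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def _locked_out(self, ip: str, now: float) -> bool:
        count, last = self.failures.get(ip, (0, 0.0))
        return count >= self.max_failures and now - last < self.lockout_seconds

    def attempt(self, ip: str, passphrase: str, now: float):
        """Return (granted, reason). 'now' is passed in so the logic is testable."""
        if not self._allowed_source(ip):
            return False, "source address not in allow list"
        if self._locked_out(ip, now):
            return False, "locked out after repeated failures"
        candidate = hash_passphrase(passphrase, self.salt)
        # Constant-time comparison: a wrong guess takes as long as a near-miss.
        if hmac.compare_digest(candidate, self.stored):
            self.failures.pop(ip, None)   # a success clears the counter
            return True, "granted"
        count, _ = self.failures.get(ip, (0, 0.0))
        self.failures[ip] = (count + 1, now)
        return False, "bad pass-phrase"


if __name__ == "__main__":
    gate = PreAuthGate(ALLOWED_NETWORKS, "correct horse battery")
    print(gate.attempt("203.0.113.9", "correct horse battery", 0.0))  # outside allow list
    print(gate.attempt("192.0.2.5", "wrong guess", 1.0))              # counted failure
    print(gate.attempt("192.0.2.5", "correct horse battery", 2.0))    # granted
```

The order of the checks is the point of the design: the address filter runs before any pass-phrase is even looked at, so an address outside the allow list never gets a guess, and the lockout bounds how many guesses an allowed address gets per period. Because the gate pulls in only the standard library's hashing and address-parsing code, a flaw in the TLS or SSH implementation behind it does not reach the gate, which is the separation Bill is arguing for.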

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
</x-flowed>